Merging to release-5.11.0: [TT-16296] fixed keys being set automatically as active (#7642) (#7649)

[TT-16296] fixed keys being set automatically as active (#7642)

## Description

Fixes a regression introduced in PR #7431 where keys without policies
would not respect the is_inactive flag set via API. The issue was that
Apply() unconditionally reset session.IsInactive to false based solely
on policy states, ignoring the session's own inactive state when no
policies were applied. This caused keys without policies to remain
active even after being explicitly deactivated via the API. The fix
preserves the session's IsInactive value when no policies are applied,
while still allowing policies to control the inactive state when
present.

##  Related Issue

  TT-16296

## How This Has Been Tested

  • Added unit test InactiveNoPolicies in internal/policy/apply_test.go
• Added integration tests TestKeyInactiveWithoutPolicy and
TestKeyInactiveWithoutPolicyWithCache in
gateway/mw_key_expired_check_test.go that follow the exact reproduction
steps from the ticket

## Screenshots (if appropriate)

## Types of changes

<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply: -->

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [ ] Refactoring or add test (improvements in base code or adds test
coverage to functionality)

## Checklist

<!-- Go over all the following points, and put an `x` in all the boxes
that apply -->
<!-- If there are no documentation updates required, mark the item as
checked. -->
<!-- Raise up any additional concerns not covered by the checklist. -->

- [ ] I ensured that the documentation is up to date
- [ ] I explained why this PR updates go.mod in detail with reasoning
why it's required
- [ ] I would like a code coverage CI quality gate exception and have
explained why


<!---TykTechnologies/jira-linter starts here-->

### Ticket Details

<details>
<summary>
<a href="https://tyktech.atlassian.net/browse/TT-16296" title="TT-16296"
target="_blank">TT-16296</a>
</summary>

|         |    |
|---------|----|
| Status  | In Dev |
| Summary | Key: Inactive keys are still active |

Generated at: 2025-12-15 17:48:43

</details>

<!---TykTechnologies/jira-linter ends here-->


Co-authored-by: Patric Vormstein <pvormstein@googlemail.com>

[TT-16296]:
https://tyktech.atlassian.net/browse/TT-16296?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

Co-authored-by: andrei-tyk <97896463+andrei-tyk@users.noreply.github.com>
Co-authored-by: Patric Vormstein <pvormstein@googlemail.com>

Author: 3 people

gateway/mw_key_expired_check_test.go

@@ -0,0 +1,132 @@
+package gateway
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/TykTechnologies/tyk/config"
+	"github.com/TykTechnologies/tyk/storage"
+	"github.com/TykTechnologies/tyk/test"
+	"github.com/TykTechnologies/tyk/user"
+)
+
+// TestKeyInactiveWithoutPolicy tests the scenario where a key without policy
+// is set to inactive via API and should be rejected by the gateway.
+// This is a regression test for TT-16296.
+func TestKeyInactiveWithoutPolicy(t *testing.T) {
+	// Disable session cache to ensure we always read fresh data from storage
+	conf := func(globalConf *config.Config) {
+		globalConf.LocalSessionCache.DisableCacheSessionState = true
+	}
+
+	ts := StartTest(conf)
+	defer ts.Close()
+
+	// Create API that requires authentication
+	api := BuildAPI(func(spec *APISpec) {
+		spec.UseKeylessAccess = false
+		spec.Proxy.ListenPath = "/"
+	})[0]
+
+	ts.Gw.LoadAPI(api)
+
+	// Step 1: Create API KEY without POLICY
+	key := CreateSession(ts.Gw, func(s *user.SessionState) {
+		// Ensure no policies are applied
+		s.ApplyPolicies = nil
+	})
+
+	authHeader := map[string]string{"Authorization": key}
+
+	// Step 2: Send traffic - should succeed
+	ts.Run(t, test.TestCase{
+		Path:    "/",
+		Headers: authHeader,
+		Code:    http.StatusOK,
+	})
+
+	// Step 3: Update key to set is_inactive: true
+	hashKeys := ts.Gw.GetConfig().HashKeys
+	hashedKey := storage.HashKey(key, hashKeys)
+
+	// Get current session and set it to inactive
+	session, _ := ts.Gw.GlobalSessionManager.SessionDetail("default", hashedKey, true)
+	session.IsInactive = true
+
+	err := ts.Gw.GlobalSessionManager.UpdateSession(hashedKey, &session, 60, true)
+	if err != nil {
+		t.Fatalf("Failed to update session: %v", err)
+	}
+
+	// Step 4: Send traffic - should be rejected with 403 Forbidden
+	ts.Run(t, test.TestCase{
+		Path:      "/",
+		Headers:   authHeader,
+		Code:      http.StatusForbidden,
+		BodyMatch: "Key is inactive",
+	})
+}
+
+// TestKeyInactiveWithoutPolicyWithCache tests the same scenario but with
+// session cache enabled to ensure cache invalidation works correctly.
+func TestKeyInactiveWithoutPolicyWithCache(t *testing.T) {
+	// Enable session cache (default behavior)
+	conf := func(globalConf *config.Config) {
+		globalConf.LocalSessionCache.DisableCacheSessionState = false
+	}
+
+	ts := StartTest(conf)
+	defer ts.Close()
+
+	// Create API that requires authentication
+	api := BuildAPI(func(spec *APISpec) {
+		spec.UseKeylessAccess = false
+		spec.Proxy.ListenPath = "/"
+	})[0]
+
+	ts.Gw.LoadAPI(api)
+
+	// Step 1: Create API KEY without POLICY
+	key := CreateSession(ts.Gw, func(s *user.SessionState) {
+		// Ensure no policies are applied
+		s.ApplyPolicies = nil
+	})
+
+	authHeader := map[string]string{"Authorization": key}
+
+	// Step 2: Send traffic - should succeed (this also caches the session)
+	ts.Run(t, test.TestCase{
+		Path:    "/",
+		Headers: authHeader,
+		Code:    http.StatusOK,
+	})
+
+	// Step 3: Update key to set is_inactive: true
+	hashKeys := ts.Gw.GetConfig().HashKeys
+	hashedKey := storage.HashKey(key, hashKeys)
+
+	// Get current session and set it to inactive
+	session, _ := ts.Gw.GlobalSessionManager.SessionDetail("default", hashedKey, true)
+	session.IsInactive = true
+
+	err := ts.Gw.GlobalSessionManager.UpdateSession(hashedKey, &session, 60, true)
+	if err != nil {
+		t.Fatalf("Failed to update session: %v", err)
+	}
+
+	// Flush the session cache to simulate cache invalidation that happens
+	// when keys are updated via the API
+	cacheKey := key
+	if hashKeys {
+		cacheKey = storage.HashStr(key, storage.HashMurmur64)
+	}
+	ts.Gw.SessionCache.Delete(cacheKey)
+
+	// Step 4: Send traffic - should be rejected with 403 Forbidden
+	ts.Run(t, test.TestCase{
+		Path:      "/",
+		Headers:   authHeader,
+		Code:      http.StatusForbidden,
+		BodyMatch: "Key is inactive",
+	})
+}

internal/policy/apply.go

@@ -111,7 +111,12 @@ func (t *Service) Apply(session *user.SessionState) error {
 	}
 
 	// Only the status of policies applied to a key should determine the validity of the key.
-	sessionInactiveState := false
+	// If no policies are applied, preserve the session's own IsInactive state.
+	sessionInactiveState := session.IsInactive
+	hasPolicies := len(policyIDs) > 0
+	if hasPolicies {
+		sessionInactiveState = false
+	}
 
 	for _, polID := range policyIDs {
 		policy, ok := storage.PolicyByID(polID)

internal/policy/apply_test.go

@@ -504,6 +504,17 @@ func testPrepareApplyPolicies(tb testing.TB) (*policy.Service, []testApplyPolici
 	tests = append(tests, aclPartitionTCs...)
 
 	inactiveTCs := []testApplyPoliciesData{
+		{
+			"InactiveNoPolicies", []string{},
+			"", func(t *testing.T, s *user.SessionState) {
+				t.Helper()
+				if !s.IsInactive {
+					t.Fatalf("key without policies should preserve IsInactive=true from session")
+				}
+			}, &user.SessionState{
+				IsInactive: true,
+			}, false,
+		},
 		{
 			"InactiveMergeOne", []string{"tags1", "inactive1"},
 			"", func(t *testing.T, s *user.SessionState) {